The proliferation of the use of the Internet by businesses for retailing, business-to-business communications and/or having a Web presence for marketing has significantly increased the problems faced by those who manage the internal networks of those businesses. In particular, more and more businesses are implementing de-militarized zones (DMZs), or firewall-protected areas, that may sit between, for example, the company's network operations center (NOC) and the Internet. In other words, the NOC is segregated from the DMZ. For example, DMZs are being established between cooperating businesses. Businesses may need to share information, process orders or manage inventory between them. In order to accomplish these tasks, the different companies may need access to the same systems. The common network configuration for this shared environment may use a set of network computing devices that are separated by firewalls from both companies, so that each can access the common systems but not the other's private network. Management of the DMZs presents a unique problem for those who manage the networks, because the firewall typically blocks management traffic.
DMZs may also be used within businesses to segment user communities for security purposes. For example, a company may want to keep its accounting department securely separated from its engineering department. The use of a DMZ may decrease the risk of losses due to corporate espionage, computer hacking, malicious employee action and the like. Thus, as businesses become more security conscious, the use of DMZs is becoming more prevalent. As the need for DMZs increases, the need to manage the devices within these areas generally also increases.
A network operations center (NOC) is typically the center of network management activity within a company. The NOC, especially in a large company, is typically a sophisticated and complex combination of hardware, software and personnel. In many cases, the NOC is responsible for managing servers, networking equipment, operating systems, and software applications. Thus, it is typically an on-going challenge for NOC personnel to manage the company's environment no matter how it is configured or segregated. Some companies may have multiple NOCs depending on how they manage their environment. For example, NOCs may be separated geographically, by management function, for purposes of segregation and the like. The use of multiple NOCs may further complicate the management of these networks for NOC personnel.
To properly manage a network the NOC typically has the ability to probe and collect information from the network devices in order to monitor them properly. Electronic attacks on a company's network(s) from outside the company's network as well as from within the company's network are rapidly becoming a major concern for network security personnel. Thus, the security personnel typically try to decrease access to and from any area or limit communications that could compromise the security of the network.
Thus, a conflict arises between the NOC personnel and the security personnel. In particular, the conflict generally arises due to the requirements of the NOC to probe and collect information from the network devices and the need for network security personnel to limit communication to and from any area that may compromise security. In other words, problems may arise due to network segregation, which may cause problems when management information needs to be conveyed between segregated areas, for example, the NOC and the DMZ.
In particular, the DMZ is inherently insecure, as it allows the outside world to access at least a portion of the company's network. Thus, the conflict here arises from the security team's interest in securing the company's network from being accessed through the DMZ and the NOC's need to manage the entire private network, including devices located in the DMZ. Accordingly, the NOC needs some ability to view the devices in the DMZ, collect data from these devices and monitor these devices for operability, without creating a security breach incompatible with the mission of the security personnel. Furthermore, companies may use a variety of network management tools, for example, HP OpenView, IBM NetView, Micromuse NetCool, CA Unicenter, Concord NetHealth, NetScout nGenius and the like, to manage their networks. Many times one company will use multiple tools from different vendors; thus, there may be a need for multiple tools to be able to manage devices across the company's network and possibly within a DMZ itself.
To address the problems discussed above, management related network traffic may be allowed through the firewall to monitor the DMZ devices. For example, the firewall could be configured to allow communications between the DMZ devices and a network management station (NMS) in the company's internal network. Thus, the NMS could use, for example, internet control message protocol (ICMP) and simple network management protocol (SNMP) polling across the firewall to communicate with devices in the DMZ through the firewall to determine, for example, if the devices are available. However, although this approach may be acceptable to the NOC personnel, the security team may object to this approach because ICMP and SNMP are typically very insecure protocols, which can be, for example, spoofed by hackers to send potentially harmful information directly to the NMS.
Another approach that may be used to address the problems discussed above would be to place vendor-proprietary agents/tools in the DMZ. The tools offered by various vendors vary; however, there are two main types of tools: a remote polling station within the DMZ, and agents residing on the DMZ devices themselves. If a remote polling station is used, the remote polling station may be configured to poll the devices in the DMZ and send the responses back to the NMS. To enable this approach, a small number of firewall ports may be configured to allow direct communication between the polling station and the NMS. This approach may be acceptable to the security team if the number of firewall ports is not excessive and encrypted TCP connections are used. However, NOC personnel may object to this solution if they use multiple network management tools from several vendors, as a single-vendor remote polling station may not be sufficient.
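The two preceding paragraphs contrast polling DMZ devices directly across the firewall with unauthenticated ICMP/SNMP, which any host that reaches the NMS can spoof, against relaying the results from a polling station inside the DMZ over a single protected connection. The following is an added example, not code from the patent or from any of the vendor tools it names, that models the relay side: the station polls devices locally and emits one timestamped, HMAC-authenticated status report, and the NMS accepts a report only if the tag verifies and the timestamp is fresh. The device inventory, the probe function, the shared key and the timestamps are all constructed for the example; a deployment would carry the report over the encrypted TCP connection the text mentions and provision the key out of band.

```python
"""DMZ remote polling station and NMS verifier (constructed example)."""
import hashlib
import hmac
import json
import time

# Assumption for the example: a key shared between station and NMS, provisioned
# out of band. In production this role is played by the TLS session, not a
# hard-coded secret.
SHARED_KEY = b"constructed-demo-key"

# Constructed DMZ inventory: device name -> whether the local probe reaches it.
# Stands in for the ICMP/SNMP poll that the station runs from inside the DMZ.
DMZ_DEVICES = {"web01": True, "web02": False, "mail01": True}


def poll_devices(devices, probe):
    """Poll every device from inside the DMZ. probe(name) -> bool reachable."""
    return {name: ("up" if probe(name) else "down") for name in devices}


def build_report(status, key, ts=None):
    """Station side: serialize the poll results with a timestamp and an HMAC tag.

    The firewall only needs to pass this one channel, not one ICMP/SNMP
    exception per DMZ device.
    """
    body = json.dumps(
        {"ts": ts if ts is not None else int(time.time()), "status": status},
        sort_keys=True,
    )
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body, tag


def verify_report(body, tag, key, max_age=300, now=None):
    """NMS side: return the status dict, or None if the report is forged or stale.

    A spoofed SNMP trap or ICMP reply has no tag to check; here a message whose
    tag does not match the body is dropped before it is parsed, and an old
    report replayed later is dropped on the timestamp.
    """
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    data = json.loads(body)
    now = now if now is not None else int(time.time())
    if abs(now - int(data["ts"])) > max_age:
        return None
    return data["status"]


if __name__ == "__main__":
    status = poll_devices(DMZ_DEVICES, DMZ_DEVICES.__getitem__)
    body, tag = build_report(status, SHARED_KEY)
    print("NMS accepted:", verify_report(body, tag, SHARED_KEY))
    forged = body.replace('"down"', '"up"')
    print("NMS accepted forged:", verify_report(forged, tag, SHARED_KEY))
```

The station never exposes SNMP or ICMP across the firewall; the NMS learns device state only through reports it can authenticate, which is the property the security team is asking for in the text, while the NOC still gets per-device availability.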
If agents residing on the DMZ devices themselves are used, the agents residing on the DMZ devices would need to be individually installed and maintained on each DMZ device. The NMS could then communicate with each agent to check the status of each DMZ device. Thus, the firewall would need to be configured to allow communication between each DMZ device and the NMS. The amount of configuration needed for each vendor agent to communicate with the NMS may be excessive, which may make this solution unacceptable to the security personnel. In particular, the firewall configuration may need to be modified for each new DMZ device, adding complexity and increasing the number of connections through the firewall. This solution may also be unacceptable to the NOC personnel, as it requires deployment and configuration of an agent for each device. The use of individual agents may also force the NOC to use a particular vendor tool set, which may make it difficult to change vendors in the future or support a plurality of customer DMZ access tools.